Kaseya Unitrends has unpatched vulnerabilities that could help attackers expand a breach

It must not be easy to work at Kaseya right now. While they are working as hard as they can to help customers, and customers of their customers, recover from the REvil ransomware attack at the beginning of July, a new set of vulnerabilities in their software has been disclosed.

As a sidenote, Kaseya specifically states on its website that it did not pay the ransom ($70 million was the initial demand). The statement is aimed at critics who said that paying would encourage additional ransomware attacks, a criticism fed by rumors that the decryption key had been obtained by paying the ransom.

In the meantime, security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet.

Kaseya Unitrends

Kaseya offers remote monitoring and management solutions for Managed Service Providers (MSPs). MSPs are companies that facilitate the remote management of a business’s technology and network. A managed service provider will remotely manage a business’s network so the business owner doesn’t need to hire a full-time team of their own.

Unitrends is a Kaseya company and a provider of all-in-one enterprise backup and continuity solutions. It can serve as a cloud-based enterprise backup and disaster recovery solution that can be used as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.

DIVD warns again

As Victor Gevers indicated when he was a guest in our podcast about the Kaseya VSA incident, the Dutch Institute for Vulnerability Disclosure found seven or eight zero-days in the Kaseya software. In their Kaseya limited disclosure post from earlier this month you can find a list of 7 CVE identifiers.

To hear about DIVD’s investigation into Kaseya VSA, listen to our conversation with DIVD Chair Victor Gevers.

But the DIVD opened a new case file for Kaseya Unitrends. The summary in that case file reveals that a DIVD researcher has identified several vulnerabilities in the Kaseya Unitrends backup product versions that are lower than 10.5.2. The recommendation to mitigate the risks posed by these vulnerabilities is to not expose this service or the clients directly to the internet until Kaseya has patched these vulnerabilities.

The DIVD is all about coordinated vulnerability disclosure. This is done because full knowledge of the vulnerabilities might enable cybercriminals to leverage them and do a lot of harm. Coordinated vulnerability disclosure lets the vendor know exactly what is wrong, but it also informs the users affected by the vulnerability what the mitigation instructions are.

So, in this case, the DIVD informed Kaseya Unitrends about the details of the vulnerability and started sharing it with 68 government Computer Emergency Response Teams (CERTs) under the TLP:AMBER designation. When sharing cyber intelligence, sources may use TLP:AMBER when information requires support to be effectively acted upon, but carries risk to privacy, reputation, or operations if shared outside of the organizations involved.

Recipients are supposed to limit the sharing of TLP:AMBER information with staff in their own organization who need to know, or with service providers to mitigate risks to the member’s organization if the providers are contractually obligated to protect the confidentiality of the information. Information can be shared with those parties specified above only as widely as necessary to act on the information.

One of the recipients, however, publicized the content by uploading it to an online analyzing platform.

“An employee uploaded the TLP:AMBER labeled [file] directly to an online analyzing platform and shared its content to all participants of that platform; because we do not have an account on that platform, we immediately requested removing this file.”

The vulnerabilities affecting the Kaseya Unitrends backup service include a mixture of authenticated remote code execution, authenticated privilege escalation, and unauthenticated remote code execution on the client side. A threat actor would need a valid user account to perform remote code execution or privilege escalation on a publicly exposed Kaseya Unitrends service. Furthermore, threat actors would already need to have breached a customer network to exploit the unauthenticated client RCE. This reduces the chance of these vulnerabilities having the same impact as the REvil attack, which exploited one of the vulnerabilities within Kaseya VSA.

Stay safe, everyone!

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.